The Protegrity documentation suite for 7.2.1 contains a guide named Protegrity Key Management Guide.

Perform initial configuration

Requirements for the Protegrity Data Security Platform include the following specifications:
  • Drivers supporting Debian 9 with OpenSSL version 1.0.2 for version 7.2.1 of the Protegrity Data Security Platform.
  • Driver version 4.20 (fxpkcs11-debian9-ssl1.0-4.20- 4afd.tar) contains a compliant driver (fxpkcs11/x64/OpenSSL-1.0.x/libfxpkcs11.so in the tar archive).
Perform the following configuration steps:
1. Zip the following files (Protegrity recommends putting all files in a tgz archive):
  • server and client certificate files
  • client private key file
  • pkcs11 driver (libfxpkcs11.so)
  • fxpkcs11.cfg
2. Upload the files and extract them to the /opt/protegrity/hsm/external folder.
3. Set the file permissions to 744 and ensure the file owner is service_admin.
4. Set the following environment variables in the /opt/protegrity/hsm/external/hsm.env configuration file, as shown in the following example:

    export PTY_PKCS11_LIBRARY=${HSM_DIR}/libfxpkcs11.so
    export PTY_PKCS11_ENV_KEY=FXPKCS11_CFG
    export PTY_PKCS11_ENV_VALUE=${HSM_DIR}/fxpkcs11.cfg
    export PTY_PKCS11_SLOT=<slot_id>

5. Update the fxpkcs11.cfg as shown in the following example:
Section | Parameter in the .cfg file | Description                                              | Value
--------|----------------------------|----------------------------------------------------------|------------------------------------------------------------
Config  | <LOG-FILE>                 | Sets the log file location                               | /opt/protegrity/hsm/external/fxpkcs11.log
HSM     | <SLOT>                     | Sets the PKCS11 slot for the HSM                         |
HSM     | <CRYPTO-OPR>               | Sets the Crypto Operator username to login to the Futurex HSM | protegrity
HSM     | <ADDRESS>                  | Sets the IP address of the Futurex HSM                   |
HSM     | <PROD-PORT>                | Sets the production port                                 |
HSM     | <PROD-TLS-CA>              | Sets the path to the HSM Server Certificate file         | /opt/protegrity/hsm/external/<server_ca_file.pem>
HSM     | <PROD-TLS-CERT>            | Sets the path to the HSM Client Certificate file         | /opt/protegrity/hsm/external/<client_cert_file.pem>
HSM     | <PROD-TLS-KEY>             | Sets the path to the HSM Client Private Key file         | /opt/protegrity/hsm/external/<client_priv_key_file.pem>
HSM     | <PROD-TLS-KEY-PASS>        | Sets the passphrase for the HSM Client Private Key file  |
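As an added example that is not part of the Protegrity guide or the Futurex driver: a POSIX shell pre-flight check for the staging directory produced by steps 3 to 5, verifying file mode and owner, the four exported variables (with the <slot_id> placeholder replaced), the required cfg parameters, and that the TLS files the cfg points at actually exist. It assumes the tag-style fxpkcs11.cfg layout (`<TAG> value </TAG>` inside <CONFIG> and <HSM> blocks), which the page does not show, and builds a constructed sample tree with placeholder address and port so it runs offline.

```shell
# Pre-flight check for the /opt/protegrity/hsm/external staging tree (steps 3-5).
# Assumption: fxpkcs11.cfg uses a "<TAG> value </TAG>" layout inside
# <CONFIG> and <HSM> blocks; the page lists only the tag names.

# Print the value of <TAG> from the cfg file (empty if the tag is absent/unset).
cfg_value() {  # $1=cfg file  $2=tag name
    sed -n "s|.*<$2>[[:space:]]*\([^<]*[^<[:space:]]\)[[:space:]]*</$2>.*|\1|p" "$1" | head -n 1
}

# Exit 0 when the staging dir meets the requirements above, 1 otherwise;
# each finding is written to stderr. $2 overrides the expected owner.
check_hsm_staging() {  # $1=staging dir  $2=owner (default service_admin)
    dir=$1; owner=${2:-service_admin}; cfg=$1/fxpkcs11.cfg; rc=0
    for f in libfxpkcs11.so fxpkcs11.cfg hsm.env; do
        [ -f "$dir/$f" ] || { echo "missing $f" >&2; rc=1; continue; }
        # step 3: mode exactly 744 and owned by the service account
        [ -n "$(find "$dir/$f" -perm 744 -user "$owner" 2>/dev/null)" ] ||
            { echo "$f: expected mode 744, owner $owner" >&2; rc=1; }
    done
    # step 4: all four variables exported, <slot_id> placeholder replaced
    for v in PTY_PKCS11_LIBRARY PTY_PKCS11_ENV_KEY PTY_PKCS11_ENV_VALUE PTY_PKCS11_SLOT; do
        grep -q "^export $v=." "$dir/hsm.env" 2>/dev/null || { echo "hsm.env: $v not set" >&2; rc=1; }
    done
    grep -q '^export PTY_PKCS11_SLOT=<slot_id>' "$dir/hsm.env" 2>/dev/null &&
        { echo "hsm.env: <slot_id> placeholder still present" >&2; rc=1; }
    # step 5: required tags set, and the TLS files the cfg points at exist
    for t in LOG-FILE SLOT CRYPTO-OPR ADDRESS PROD-PORT PROD-TLS-CA PROD-TLS-CERT PROD-TLS-KEY; do
        [ -n "$(cfg_value "$cfg" "$t" 2>/dev/null)" ] || { echo "cfg: <$t> not set" >&2; rc=1; }
    done
    for t in PROD-TLS-CA PROD-TLS-CERT PROD-TLS-KEY; do
        p=$(cfg_value "$cfg" "$t" 2>/dev/null)
        [ -z "$p" ] || [ -f "$p" ] || { echo "cfg: <$t> -> missing file $p" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample tree (no real HSM material) so the check runs offline;
# address and port are placeholders, the owner is whoever runs this.
make_sample_staging() {  # $1=dir
    mkdir -p "$1"
    for f in libfxpkcs11.so server_ca.pem client_cert.pem client_key.pem; do : > "$1/$f"; done
    printf 'export PTY_PKCS11_LIBRARY=${HSM_DIR}/libfxpkcs11.so\nexport PTY_PKCS11_ENV_KEY=FXPKCS11_CFG\n' > "$1/hsm.env"
    printf 'export PTY_PKCS11_ENV_VALUE=${HSM_DIR}/fxpkcs11.cfg\nexport PTY_PKCS11_SLOT=0\n' >> "$1/hsm.env"
    printf '<CONFIG>\n  <LOG-FILE> %s/fxpkcs11.log </LOG-FILE>\n</CONFIG>\n<HSM>\n' "$1" > "$1/fxpkcs11.cfg"
    printf '  <SLOT> 0 </SLOT>\n  <CRYPTO-OPR> protegrity </CRYPTO-OPR>\n  <ADDRESS> 192.0.2.10 </ADDRESS>\n' >> "$1/fxpkcs11.cfg"
    printf '  <PROD-PORT> 9100 </PROD-PORT>\n  <PROD-TLS-CA> %s/server_ca.pem </PROD-TLS-CA>\n' "$1" >> "$1/fxpkcs11.cfg"
    printf '  <PROD-TLS-CERT> %s/client_cert.pem </PROD-TLS-CERT>\n  <PROD-TLS-KEY> %s/client_key.pem </PROD-TLS-KEY>\n</HSM>\n' "$1" "$1" >> "$1/fxpkcs11.cfg"
    chmod 744 "$1/libfxpkcs11.so" "$1/fxpkcs11.cfg" "$1/hsm.env"
}
```

Run it against the real staging folder as `check_hsm_staging /opt/protegrity/hsm/external` before restarting the HSM Gateway; the sample tree only exists to exercise the checks.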

Restart the gateway and set the PIN

After you complete the configuration, perform the following steps to restart the HSM Gateway service on ESA and set the crypto user PIN:
1. On the ESA Web UI, go to System > Services.
2. Restart the HSM Gateway service.
3. To set the user PIN that the ESA uses to connect to the HSM, go to Key Management > HSM > HSM on the ESA Web UI.
4. Select [ Set User Pin ].
5. Set the user PIN in the dialog box.

Test the configuration

The ESA UI has built-in functionality to verify the configuration. The test verifies connectivity and authentication to the HSM and validates whether the HSM generates random bytes to confirm successful authentication and connection.
1. On the ESA Web UI, go to Key Management > HSM > HSM.
2. Select [ Test ].
   The Test HSM Connection dialog box appears. If the test succeeds, green icons appear for the tests you performed.
3. Select [ OK ].

Activate the configuration

Perform the following steps to set the HSM as active:
1. On the ESA Web UI, go to Key Management > HSM > HSM.
2. Select [ Set As Active ].
   A confirmation message box appears.
3. Select [ OK ].